[Mailman-Developers] bugtraq submission warning: email address harvesting exploit

Barry Warsaw barry at python.org
Thu Nov 27 13:23:38 EST 2003


On Thu, 2003-11-27 at 12:08, Terri Oda wrote:

> > Better is to simply teach the archives not to distribute sensitive  
> > information at all. And a lot easier to implement, actually.
> 
> So, is anyone working on this *within* pipermail?  I know there are great
> alternative archivers out there, but Mailman still winds up with a bad
> reputation if the default isn't very secure.  Maybe for 2.2 we could have a
> "completely obscure archived email addresses" option which changed them all
> to user at xxxxxx.  

No one's working on it AFAIK, but I agree that this is the right
approach.  I'm not sure how to go about this within the Mailman 2.1
series though, because currently only the private archives are accessed
programmatically.  That may be a good first step though -- add the
obscuring stuff to the private archive cgi and then if that works out
well, provide a way to make a public archive vend through the private
archive cgi (one way: enable private archives with no password).  It's
still arguably a new feature, but perhaps we could sneak it in as a bug
fix.

-Barry
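
[Added example, not part of the original message and not Mailman code.] A sketch of the serve-time scrubbing discussed above, as a filter a CGI front end could apply to archive text before writing the response. The names obscure_addresses, MASK and SAMPLE are hypothetical, and the sample page is constructed.

```python
import re

# Hypothetical serve-time filter (not Mailman's implementation): strip
# addresses from archive text before it leaves the server, so nothing
# harvestable is ever distributed.
MASK = "xxxxxx"

_LOCAL = r"[A-Za-z0-9][A-Za-z0-9._+-]*"
_DOMAIN = r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"

# Matches local@domain, the URL-encoded local%40domain, and the existing
# "local at domain" form, which still exposes the full address.
# Trade-off: prose such as "look at example.com" is masked as well; this
# filter prefers over-redaction to leaking an address.
_ADDR = re.compile(r"\b(%s)(?:@|%%40| at )(%s)\b" % (_LOCAL, _DOMAIN))

# mailto: links carry the address in the href even when the visible link
# text has been obscured, so the whole target is dropped.
_MAILTO = re.compile(r'href="mailto:[^"]*"', re.IGNORECASE)


def obscure_addresses(text):
    """Return text with every address reduced to 'local at xxxxxx'."""
    text = _MAILTO.sub('href="#"', text)
    return _ADDR.sub(lambda m: "%s at %s" % (m.group(1), MASK), text)


# Constructed sample resembling an archived article page.
SAMPLE = (
    '<A HREF="mailto:list%40example.org?Subject=hi">alice at example.org</A>'
    " wrote to bob@example.com."
)

if __name__ == "__main__":
    print(obscure_addresses(SAMPLE))
```

The filter is idempotent, because the masked form has no dot in the domain position and so never matches again. It can therefore sit in front of content that was already scrubbed.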




